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CLAIM AMENDMENTS 

This listing of claims will replace all prior versions, and listings, of claims in 
the application. 



1 1. (currently amended) A method of configuring a network security system, 

2 comprising: 

3 a. forming a registry data structure for defining roles within a 

4 network , the registry data structure comprising a hierarchy of network types. 

5 each type comprising a definition of a network role, the network role being 

6 representative of a set of applications to be supported by the network : 

7 b. mapping network security policies to the registry data structure, 

8 said network security policies being contained in one or more policy 

9 documents, the one or more policy documents being in a standard document 

10 format language and being stored in machine readable form; and 

11 c. using a document transformation algorithm to transform the 

12 policy documents into one or more device-specific configuration documents 

13 stored in machine-readable form. 

1 2. (original) The method according to claim 1, further comprising generating 

2 instances of the roles and associated security policies, each instance being 

3 mapped to physical segments of the network. 

1 3. (original) The method according to claim 1, further comprising distributing 

2 the device-specific configuration documents to network entities for 

3 implementing the network security policies. 

1 4. (original) The method according to claim 1, wherein the registry data 

2 structure comprises a collection of documents that include information 

3 regarding the network roles and topology of the network. 

1 5. (cancelled) 

1 6. (cancelled) 
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1 7. (currently amended) The method according to claim [[5]]i, wherein when 

2 a parent network type is mapped to a policy contained in one of the policy 

3 documents, a child network type of the parent network type inherits the policy. 

1 8. (previously presented) The method according to claim 7, wherein when the 

2 child network type is mapped to a policy contained in one of the policy 

3 documents that is in conflict with the policy inherited from the parent, the 

4 policy mapped to the child takes precedence over the policy inherited from the 

5 parent, 

1 9. (currently amended) The method according to claim [[5]]i, wherein an 

2 instance of one of the network types is mapped to one or more physical 

3 network segments and wherein the network type includes a set of data fields 

4 for defining the physical network segments. 

1 10. (previously presented) The method according to claim 6, wherein at least 

2 one of the network types is an abstract type without an instance mapped to a 

3 physical network segment. 

1 11. (currently amended) The method according to claim [[5]]i, wherein each 

2 network type further comprises a data field for identifying a human 

3 administrator. 

1 12. (currently amended) The method according to claim [[5]]i, wherein each 

2 network type further comprises a data field for providing a human readable 

3 description of the network type. 

1 13. (original) The method according to claim 1, wherein the network security 

2 policies are representative of restrictions to be placed on one or more of the 

3 network roles in the registry data structure. 

1 14. (original) The method according to claim 1, wherein the policy 

2 documents are in extensible markup language (XML). 
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1 15. (original) The method according to claim 1 , wherein the docximent 

2 transformation algorithm is specific to a network entity utilized for 

3 implementing one or more of the security policies contained in the policy 

4 documents. 

1 16. (original) The method according to claim 15, wherein the document 

2 transformation algorithm includes style sheet language for transformation 

3 (XSLT) controlled by a script. 

1 17. (original) The method according to claim 16, wherein the script is 

2 specific to a network entity. 

1 18. (original) The method according to claim 16, further comprising a step of 

2 selecting the script fi-om among a plurality of scripts, each being specific to a 

3 different network entity. 

1 19. (original) The method according to claim 1 6, wherein the device-specific 

2 configuration documents are in plain text format. 

1 20. (currently amended) A apparatus for configuring a network security 

2 system, comprising: 

3 a. a registry data structure including a plurality hierarchy of 

4 network types, each network type being stored within a document in the 

5 registry and including a network role definition and a set of fields defining 

6 segments of a network , the network role being representative of a set of 

7 applications to be supported by the network ; 

8 b. security policy documents mapped to the registry data 

9 structure, each security policy document being in a standard document format 

10 language and being representative of restrictions to be placed on a network 

1 1 type in the registry data structure; and 

12 c. a document transformation algorithm for transforming the 

13 documents in the registry and the policy documents into device-specific 

14 configuration documents stored in machine-readable form. 
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